mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 05:50:55 +01:00
Add a bin/auth revoke
revoker for SSH keys
Summary: Ref T13043. Adds CLI support for revoking SSH keys. Also retargets UI language from "Deactivate" to "Revoke" to make it more clear that this is a one-way operation. This operation is already correctly implemented as a "Revoke" operation. Test Plan: Used `bin/auth revoke --type ssh` to revoke keys, verified they became revoked (with proper transactions) in the UI. Revoked keys from the web UI flow. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13043 Differential Revision: https://secure.phabricator.com/D18893
This commit is contained in:
parent
39c3b10a2f
commit
fa1ecb7f66
8 changed files with 70 additions and 16 deletions
|
@ -2105,7 +2105,6 @@ phutil_register_library_map(array(
|
|||
'PhabricatorAuthRevoker' => 'applications/auth/revoker/PhabricatorAuthRevoker.php',
|
||||
'PhabricatorAuthSSHKey' => 'applications/auth/storage/PhabricatorAuthSSHKey.php',
|
||||
'PhabricatorAuthSSHKeyController' => 'applications/auth/controller/PhabricatorAuthSSHKeyController.php',
|
||||
'PhabricatorAuthSSHKeyDeactivateController' => 'applications/auth/controller/PhabricatorAuthSSHKeyDeactivateController.php',
|
||||
'PhabricatorAuthSSHKeyEditController' => 'applications/auth/controller/PhabricatorAuthSSHKeyEditController.php',
|
||||
'PhabricatorAuthSSHKeyEditor' => 'applications/auth/editor/PhabricatorAuthSSHKeyEditor.php',
|
||||
'PhabricatorAuthSSHKeyGenerateController' => 'applications/auth/controller/PhabricatorAuthSSHKeyGenerateController.php',
|
||||
|
@ -2113,12 +2112,14 @@ phutil_register_library_map(array(
|
|||
'PhabricatorAuthSSHKeyPHIDType' => 'applications/auth/phid/PhabricatorAuthSSHKeyPHIDType.php',
|
||||
'PhabricatorAuthSSHKeyQuery' => 'applications/auth/query/PhabricatorAuthSSHKeyQuery.php',
|
||||
'PhabricatorAuthSSHKeyReplyHandler' => 'applications/auth/mail/PhabricatorAuthSSHKeyReplyHandler.php',
|
||||
'PhabricatorAuthSSHKeyRevokeController' => 'applications/auth/controller/PhabricatorAuthSSHKeyRevokeController.php',
|
||||
'PhabricatorAuthSSHKeySearchEngine' => 'applications/auth/query/PhabricatorAuthSSHKeySearchEngine.php',
|
||||
'PhabricatorAuthSSHKeyTableView' => 'applications/auth/view/PhabricatorAuthSSHKeyTableView.php',
|
||||
'PhabricatorAuthSSHKeyTransaction' => 'applications/auth/storage/PhabricatorAuthSSHKeyTransaction.php',
|
||||
'PhabricatorAuthSSHKeyTransactionQuery' => 'applications/auth/query/PhabricatorAuthSSHKeyTransactionQuery.php',
|
||||
'PhabricatorAuthSSHKeyViewController' => 'applications/auth/controller/PhabricatorAuthSSHKeyViewController.php',
|
||||
'PhabricatorAuthSSHPublicKey' => 'applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php',
|
||||
'PhabricatorAuthSSHRevoker' => 'applications/auth/revoker/PhabricatorAuthSSHRevoker.php',
|
||||
'PhabricatorAuthSession' => 'applications/auth/storage/PhabricatorAuthSession.php',
|
||||
'PhabricatorAuthSessionEngine' => 'applications/auth/engine/PhabricatorAuthSessionEngine.php',
|
||||
'PhabricatorAuthSessionEngineExtension' => 'applications/auth/engine/PhabricatorAuthSessionEngineExtension.php',
|
||||
|
@ -7390,7 +7391,6 @@ phutil_register_library_map(array(
|
|||
'PhabricatorApplicationTransactionInterface',
|
||||
),
|
||||
'PhabricatorAuthSSHKeyController' => 'PhabricatorAuthController',
|
||||
'PhabricatorAuthSSHKeyDeactivateController' => 'PhabricatorAuthSSHKeyController',
|
||||
'PhabricatorAuthSSHKeyEditController' => 'PhabricatorAuthSSHKeyController',
|
||||
'PhabricatorAuthSSHKeyEditor' => 'PhabricatorApplicationTransactionEditor',
|
||||
'PhabricatorAuthSSHKeyGenerateController' => 'PhabricatorAuthSSHKeyController',
|
||||
|
@ -7398,12 +7398,14 @@ phutil_register_library_map(array(
|
|||
'PhabricatorAuthSSHKeyPHIDType' => 'PhabricatorPHIDType',
|
||||
'PhabricatorAuthSSHKeyQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',
|
||||
'PhabricatorAuthSSHKeyReplyHandler' => 'PhabricatorApplicationTransactionReplyHandler',
|
||||
'PhabricatorAuthSSHKeyRevokeController' => 'PhabricatorAuthSSHKeyController',
|
||||
'PhabricatorAuthSSHKeySearchEngine' => 'PhabricatorApplicationSearchEngine',
|
||||
'PhabricatorAuthSSHKeyTableView' => 'AphrontView',
|
||||
'PhabricatorAuthSSHKeyTransaction' => 'PhabricatorApplicationTransaction',
|
||||
'PhabricatorAuthSSHKeyTransactionQuery' => 'PhabricatorApplicationTransactionQuery',
|
||||
'PhabricatorAuthSSHKeyViewController' => 'PhabricatorAuthSSHKeyController',
|
||||
'PhabricatorAuthSSHPublicKey' => 'Phobject',
|
||||
'PhabricatorAuthSSHRevoker' => 'PhabricatorAuthRevoker',
|
||||
'PhabricatorAuthSession' => array(
|
||||
'PhabricatorAuthDAO',
|
||||
'PhabricatorPolicyInterface',
|
||||
|
|
|
@ -80,8 +80,8 @@ final class PhabricatorAuthApplication extends PhabricatorApplication {
|
|||
'generate/' => 'PhabricatorAuthSSHKeyGenerateController',
|
||||
'upload/' => 'PhabricatorAuthSSHKeyEditController',
|
||||
'edit/(?P<id>\d+)/' => 'PhabricatorAuthSSHKeyEditController',
|
||||
'deactivate/(?P<id>\d+)/'
|
||||
=> 'PhabricatorAuthSSHKeyDeactivateController',
|
||||
'revoke/(?P<id>\d+)/'
|
||||
=> 'PhabricatorAuthSSHKeyRevokeController',
|
||||
'view/(?P<id>\d+)/' => 'PhabricatorAuthSSHKeyViewController',
|
||||
),
|
||||
'password/' => 'PhabricatorAuthSetPasswordController',
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
<?php
|
||||
|
||||
final class PhabricatorAuthSSHKeyDeactivateController
|
||||
final class PhabricatorAuthSSHKeyRevokeController
|
||||
extends PhabricatorAuthSSHKeyController {
|
||||
|
||||
public function handleRequest(AphrontRequest $request) {
|
||||
|
@ -46,14 +46,14 @@ final class PhabricatorAuthSSHKeyDeactivateController
|
|||
$name = phutil_tag('strong', array(), $key->getName());
|
||||
|
||||
return $this->newDialog()
|
||||
->setTitle(pht('Deactivate SSH Public Key'))
|
||||
->setTitle(pht('Revoke SSH Public Key'))
|
||||
->appendParagraph(
|
||||
pht(
|
||||
'The key "%s" will be permanently deactivated, and you will no '.
|
||||
'The key "%s" will be permanently revoked, and you will no '.
|
||||
'longer be able to use the corresponding private key to '.
|
||||
'authenticate.',
|
||||
$name))
|
||||
->addSubmitButton(pht('Deactivate Public Key'))
|
||||
->addSubmitButton(pht('Revoke Public Key'))
|
||||
->addCancelButton($cancel_uri);
|
||||
}
|
||||
|
|
@ -35,7 +35,7 @@ final class PhabricatorAuthSSHKeyViewController
|
|||
if ($ssh_key->getIsActive()) {
|
||||
$header->setStatus('fa-check', 'bluegrey', pht('Active'));
|
||||
} else {
|
||||
$header->setStatus('fa-ban', 'dark', pht('Deactivated'));
|
||||
$header->setStatus('fa-ban', 'dark', pht('Revoked'));
|
||||
}
|
||||
|
||||
$header->addActionLink(
|
||||
|
@ -80,7 +80,7 @@ final class PhabricatorAuthSSHKeyViewController
|
|||
$id = $ssh_key->getID();
|
||||
|
||||
$edit_uri = $this->getApplicationURI("sshkey/edit/{$id}/");
|
||||
$deactivate_uri = $this->getApplicationURI("sshkey/deactivate/{$id}/");
|
||||
$revoke_uri = $this->getApplicationURI("sshkey/revoke/{$id}/");
|
||||
|
||||
$curtain = $this->newCurtainView($ssh_key);
|
||||
|
||||
|
@ -95,8 +95,8 @@ final class PhabricatorAuthSSHKeyViewController
|
|||
$curtain->addAction(
|
||||
id(new PhabricatorActionView())
|
||||
->setIcon('fa-times')
|
||||
->setName(pht('Deactivate SSH Key'))
|
||||
->setHref($deactivate_uri)
|
||||
->setName(pht('Revoke SSH Key'))
|
||||
->setHref($revoke_uri)
|
||||
->setWorkflow(true)
|
||||
->setDisabled(!$can_edit));
|
||||
|
||||
|
|
|
@ -5,7 +5,7 @@ abstract class PhabricatorAuthRevoker
|
|||
|
||||
private $viewer;
|
||||
|
||||
abstract public function revokeAlLCredentials();
|
||||
abstract public function revokeAllCredentials();
|
||||
abstract public function revokeCredentialsFrom($object);
|
||||
|
||||
public function setViewer(PhabricatorUser $viewer) {
|
||||
|
|
52
src/applications/auth/revoker/PhabricatorAuthSSHRevoker.php
Normal file
52
src/applications/auth/revoker/PhabricatorAuthSSHRevoker.php
Normal file
|
@ -0,0 +1,52 @@
|
|||
<?php
|
||||
|
||||
final class PhabricatorAuthSSHRevoker
|
||||
extends PhabricatorAuthRevoker {
|
||||
|
||||
const REVOKERKEY = 'ssh';
|
||||
|
||||
public function revokeAllCredentials() {
|
||||
$query = new PhabricatorAuthSSHKeyQuery();
|
||||
return $this->revokeWithQuery($query);
|
||||
}
|
||||
|
||||
public function revokeCredentialsFrom($object) {
|
||||
$query = id(new PhabricatorAuthSSHKeyQuery())
|
||||
->withObjectPHIDs(array($object->getPHID()));
|
||||
|
||||
return $this->revokeWithQuery($query);
|
||||
}
|
||||
|
||||
private function revokeWithQuery(PhabricatorAuthSSHKeyQuery $query) {
|
||||
$viewer = $this->getViewer();
|
||||
|
||||
// We're only going to revoke keys which have not already been revoked.
|
||||
|
||||
$ssh_keys = $query
|
||||
->setViewer($viewer)
|
||||
->withIsActive(true)
|
||||
->execute();
|
||||
|
||||
$content_source = PhabricatorContentSource::newForSource(
|
||||
PhabricatorDaemonContentSource::SOURCECONST);
|
||||
|
||||
$auth_phid = id(new PhabricatorAuthApplication())->getPHID();
|
||||
foreach ($ssh_keys as $ssh_key) {
|
||||
$xactions = array();
|
||||
$xactions[] = $ssh_key->getApplicationTransactionTemplate()
|
||||
->setTransactionType(PhabricatorAuthSSHKeyTransaction::TYPE_DEACTIVATE)
|
||||
->setNewValue(1);
|
||||
|
||||
$editor = id(new PhabricatorAuthSSHKeyEditor())
|
||||
->setActor($viewer)
|
||||
->setActingAsPHID($auth_phid)
|
||||
->setContinueOnNoEffect(true)
|
||||
->setContinueOnMissingFields(true)
|
||||
->setContentSource($content_source)
|
||||
->applyTransactions($ssh_key, $xactions);
|
||||
}
|
||||
|
||||
return count($ssh_keys);
|
||||
}
|
||||
|
||||
}
|
|
@ -139,7 +139,7 @@ final class PhabricatorAuthSSHKey
|
|||
public function describeAutomaticCapability($capability) {
|
||||
if (!$this->getIsACtive()) {
|
||||
return pht(
|
||||
'Deactivated SSH keys can not be edited or reactivated.');
|
||||
'Revoked SSH keys can not be edited or reinstated.');
|
||||
}
|
||||
|
||||
return pht(
|
||||
|
|
|
@ -43,11 +43,11 @@ final class PhabricatorAuthSSHKeyTransaction
|
|||
case self::TYPE_DEACTIVATE:
|
||||
if ($new) {
|
||||
return pht(
|
||||
'%s deactivated this key.',
|
||||
'%s revoked this key.',
|
||||
$this->renderHandleLink($author_phid));
|
||||
} else {
|
||||
return pht(
|
||||
'%s activated this key.',
|
||||
'%s reinstated this key.',
|
||||
$this->renderHandleLink($author_phid));
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue